https://community.splunk.com/t5/Splunk-Search/Extract-JSON-objects/m-p/562583#M196043 <P>Assuming columns is supposed to be an array of name/type pairs (added closing ]) and that there are supposed to be 9 of these pairs (added Comment), and that you have a properly formatted JSON string (added surrounding and closing braces), then you could do something like this</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval _raw="{\"properties\": {\"nextLink\": null, \"columns\": [ {\"name\": \"Cost\", \"type\": \"Number\"}, {\"name\": \"Date\", \"type\": \"Number\"}, {\"name\": \"Charge\", \"type\": \"String\"}, {\"name\": \"Publisher\", \"type\": \"String\"}, {\"name\": \"Resource\", \"type\": \"String\"}, {\"name\": \"Resource\", \"type\": \"String\"}, {\"name\": \"Service\", \"type\": \"String\"}, {\"name\": \"Standard\", \"type\": \"String\"}, {\"name\": \"Comment\", \"type\": \"String\"}], \"rows\": [ [2.06, 20210807, \"usage\", \"uuuu\", \"hhh\", \"gd\", \"bandwidth\", \"azy\", \"HHH\"], [2.206, 20210807, \"usage\", \"uuuhhh\", \"ggg\", \"gd\", \"bandwidth\", \"new\", \"YYY\"]] }}" | spath path="properties.columns{}.name" output=columnnames | spath path="properties.rows{}{}" output=rows | streamstats count as event | mvexpand rows | streamstats count as row by event | eval index=(row-1)%mvcount(columnnames) | eval name=mvindex(columnnames,index) | eval {name}=rows | eval row=floor((row-1)/mvcount(columnnames)) | fields - columnnames name index rows | stats values(*) as * by row event</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Mon, 09 Aug 2021 13:16:41 GMT ITWhisperer 2021-08-09T13:16:41Z https://community.splunk.com/t5/Splunk-Search/Extract-JSON-objects/m-p/562580#M196042 <P>How can i extract this:<BR />"properties": {"nextLink": null,<BR />"columns": [<BR />{"name": "Cost", "type": "Number"},<BR />{"name": "Date", "type": "Number"},<BR />{"name": "Charge", "type": "String"},<BR />{"name": "Publisher", "type": "String"},<BR />{"name": "Resource", "type": "String"},<BR />{"name": "Resource", "type": "String"},<BR />{"name": "Service", "type": "String"},<BR />{"name": "Standard", "type": "String"},<BR />"rows": [<BR />[2.06, 20210807, "usage", "uuuu", "hhh", "gd", "bandwidth", "azy", "HHH"],<BR />[2.206, 20210807, "usage", "uuuhhh", "ggg", "gd", "bandwidth", "new", "YYY"] ]<BR /><BR />No of columns can be increased.</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 09 Aug 2021 12:40:34 GMT https://community.splunk.com/t5/Splunk-Search/Extract-JSON-objects/m-p/562580#M196042 vishaltaneja070 2021-08-09T12:40:34Z https://community.splunk.com/t5/Splunk-Search/Extract-JSON-objects/m-p/562583#M196043 <P>Assuming columns is supposed to be an array of name/type pairs (added closing ]) and that there are supposed to be 9 of these pairs (added Comment), and that you have a properly formatted JSON string (added surrounding and closing braces), then you could do something like this</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval _raw="{\"properties\": {\"nextLink\": null, \"columns\": [ {\"name\": \"Cost\", \"type\": \"Number\"}, {\"name\": \"Date\", \"type\": \"Number\"}, {\"name\": \"Charge\", \"type\": \"String\"}, {\"name\": \"Publisher\", \"type\": \"String\"}, {\"name\": \"Resource\", \"type\": \"String\"}, {\"name\": \"Resource\", \"type\": \"String\"}, {\"name\": \"Service\", \"type\": \"String\"}, {\"name\": \"Standard\", \"type\": \"String\"}, {\"name\": \"Comment\", \"type\": \"String\"}], \"rows\": [ [2.06, 20210807, \"usage\", \"uuuu\", \"hhh\", \"gd\", \"bandwidth\", \"azy\", \"HHH\"], [2.206, 20210807, \"usage\", \"uuuhhh\", \"ggg\", \"gd\", \"bandwidth\", \"new\", \"YYY\"]] }}" | spath path="properties.columns{}.name" output=columnnames | spath path="properties.rows{}{}" output=rows | streamstats count as event | mvexpand rows | streamstats count as row by event | eval index=(row-1)%mvcount(columnnames) | eval name=mvindex(columnnames,index) | eval {name}=rows | eval row=floor((row-1)/mvcount(columnnames)) | fields - columnnames name index rows | stats values(*) as * by row event</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Mon, 09 Aug 2021 13:16:41 GMT https://community.splunk.com/t5/Splunk-Search/Extract-JSON-objects/m-p/562583#M196043 ITWhisperer 2021-08-09T13:16:41Z